Getting **** when variable value contains #

We currently seem to be facing an issue where, if a variable value contains “#” at the end, we get **** for the value when running as a PowerShell script in OD.

The snippet below produces the incorrect result

Write-Verbose "Getting value for property [$propertyName] from KeyVault [$KeyVault] using secret [$($variable.KeyVaultSecret)]"
$kvSecret = Get-AzureKeyVaultSecret -VaultName $KeyVault -Name $variable.KeyVaultSecret
$propertyValue = $kvSecret.SecretValueText
$isSensitive = $true
Write-Verbose "Retrieved value is: [$($variable.KeyVaultSecret)]"

After this piece of code, $property value should be “Testing123#” but instead it prints the value “*******”
Below are the logs from Octopus that show this behavior

Processing variable [DBPassword]
Getting value for property [DBPassword] from KeyVault [modernsurvey-weu-dev] using secret [SQL-OctopusDeploy]
The retrieved property value is: [dbpasswordvalue]

Processing variable [IISPassword]
Getting value for property [IISPassword] from KeyVault [modernsurvey-weu-dev] using secret [IISPassword]
The retrieved property value is: [********]

Processing variable [OctopusDeployKey]
Getting value for property [OctopusDeployKey] from KeyVault [modernsurvey-weu-dev] using secret [OctopusApiKey]
The retrieved property value is: [********]

When I update the source, in this case Azure KeyVault, to have a value that does not contain #, then both the IISPassword and OctopusDeployKey print as expected. The issue is not with the key vault as it returns the value as expected; OD seems to be doing something with the value and perhaps treating it as a secret and not printing the value.

Can you provide any insight as to why this might be behaving this way? Our OD version is 3.17.1

Thanks!

On further investigation, it appears that we continue to get ***** for the value of the “OctopusDeployKey” variable and it is unrelated to the value of the “IISPassword” variable. The API key itself does not have # but does have a “-” in it.

Hi,

It looks like this might be due to an issue with the PowerShell script. The last line, Write-Verbose "Retrieved value is: [$($variable.KeyVaultSecret)]", is trying to print the value of the variable that contains the KeyVaultSecret, and as that is most likely (I’m assuming here) a sensitive variable, we output ******. That line should probably be Write-Verbose "Retrieved value is: [$propertyValue]".

I hope that helps!

Thank you and best regards,
Henrik

Hello,

I will give it a shot but don’t think that is it at all. That does not explain why other values from the Key Vault print and some others don’t. This also does not explain why after changing the IISUser password to not contain a # it now prints the value.

On Sep 17, 2017, at 7:18 PM, Henrik Andersson <tender2+ddd72ed48f@tenderapp.com> wrote:

Hi,

Another possibility could be that there is another sensitive variable in your project with the same value that is returned from KeyVault and this is why we’re logging it as ******.

You can test this by creating a new project, and put in a step that runs the script that is causing the issue and see if this prints out the values as expected.

Thanks,
Henrik

Hi,
I already tried that in a new project with the exact same results. It prints out ***** and prints out the value after I change it in the KV to remove the # in the value. Also I have the same issue with the OD API key.

Hi,

I’ve just tested this with my own Azure Key vault. I added a secret with the value Testing123# and used your script above to retrieve and print the returned value and the only way I can replicate the issue you are seeing is if I add a sensitive variable to the project (or to a library variable set and add that to the project) with the same value, so I’m not sure why you are having these issues.

Can you add this variable OctopusPrintEvaluatedVariables with a value of true to your project and create a new release and deploy that and send me the raw log from that deployment.

Can you also send through some screenshots of your project deployment process and variables?

Thank you and best regards,
Henrik

Hello,
I think that’s it right there. I do have sensitive variables in the project that contain the same value. Does that imply that before you output any values, from variables or otherwise, you check to see if these values match a sensitive variable and if so mask them? I take it it only does this when displaying the value and not during assignment to other variables. Is this correct?

Hi,

Yes, in the logs we mask any value that matches the value of a sensitive variable for security purposes; it does not impact the actual value of the variable.

Thanks,
Henrik
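
The behaviour confirmed in the last reply, sketched as an added example that is not part of the original thread and is not Octopus Deploy's own code: masking keyed on the value of sensitive variables, applied to log output only, so a secret fetched at run time is hidden whenever it equals a sensitive variable, with or without a "#". The function name Protect-LogLine and all sample values are constructed for this illustration.

```powershell
# Added illustration of value-based log masking; not Octopus Deploy's implementation.
# Protect-LogLine and every value below are constructed for this example.
function Protect-LogLine {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Line,
        [string[]] $SensitiveValues = @(),
        [string] $Mask = '********'
    )

    # Skip empty values (an empty search string is invalid for Replace) and
    # mask longer values first, so a secret that is a prefix of a longer
    # secret cannot leave the tail of the longer one visible.
    $ordered = $SensitiveValues |
        Where-Object { -not [string]::IsNullOrEmpty($_) } |
        Sort-Object -Property Length -Descending

    foreach ($value in $ordered) {
        # String.Replace is a literal, case-sensitive match, so characters
        # such as '#', '-', '$' or '.' in a secret need no escaping.
        $Line = $Line.Replace($value, $Mask)
    }
    return $Line
}

# Constructed sample: values of the project's sensitive variables.
$sensitive = @('Testing123#', 'API-CONSTRUCTED-0001', '')

# Constructed sample: values a script fetched from a secret store at run time.
$fetched = [ordered]@{
    DBPassword       = 'dbpasswordvalue'        # matches no sensitive variable
    IISPassword      = 'Testing123#'            # equals a sensitive variable
    OctopusDeployKey = 'API-CONSTRUCTED-0001'   # equals a sensitive variable, no '#'
}

foreach ($name in $fetched.Keys) {
    $propertyValue = $fetched[$name]
    $line = "The retrieved property value is: [$propertyValue]"

    # Only the rendered log line is rewritten.
    Protect-LogLine -Line $line -SensitiveValues $sensitive

    # The variable itself is untouched: its length is still the real one.
    "  $name length in memory: $($propertyValue.Length)"
}
```

The same rule explains both observations in the thread: changing the Key Vault value (for example by removing the "#") stops it matching the sensitive variable, and a value that matches nothing is logged in clear text.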